EU interior ministers welcome mandatory chat control for all smartphones - https://news.ycombinator.com/item?id=29200506 - Nov 2021 (59 comments)
EU Chatcontrol 2.0 [video] - https://news.ycombinator.com/item?id=29066894 - Nov 2021 (197 comments)
Messaging and chat control - https://news.ycombinator.com/item?id=28115343 - Aug 2021 (317 comments)
EU Parliament approves mass surveillance of private communications - https://news.ycombinator.com/item?id=27759814 - July 2021 (11 comments)
European Parliament approves mass surveillance of private communication - https://news.ycombinator.com/item?id=27753727 - July 2021 (415 comments)
Indiscriminate messaging and chatcontrol: Last chance to protest - https://news.ycombinator.com/item?id=27736435 - July 2021 (104 comments)
IT companies warn in open letter: EU wants to ban encryption - https://news.ycombinator.com/item?id=26825653 - April 2021 (217 comments)
Besides that, all they will end up with is more information on how to make chocolate cookies and who is sleeping with whom; it won't tell them where the next terror attack is going to take place or who will do it.
No, but I'm convinced this isn't the goal. The goal is to monitor the unrest of the people.
The rest of it is likely the "ability to just pull up data on anyone at any time just cause".
The old school, "we know where you live, what you said to your husband, and that you had marmalade jam with your toast this morning" spy insider knowledge gambit is a strong manipulation tactic whenever you need to convince someone to "just comply".
Having inside knowledge of mundane things that are assumed to be private holds a lot more sway than you'd think. It can make threatening ordinary people a lot easier. Do governments do this often? Probably not, but when they want to interrogate someone, I can almost guarantee they like to be able to pull up everything private they can as leverage in an interrogation.
Is this useful for national security? Probably not, but since when do governments actually care about national security when they can roll around on a power trip and feel big and godly?
And who knows, maybe you would become a political figure or something of that caliber down the road. You just never know. Don't assume you don't need as much privacy as possible.
By you, I'm speaking in general.
They don't want new powers, they want their old powers back. When I understood that, I was enlightened.
The tools we have made are quite dangerous for this and that's one more reason why we as the techies responsible for the creation of such tools should ensure that this can never ever happen. It's also one of the reasons why Phil Zimmermann is one of my personal heroes.
I'm not sure I agree but at least that isn't outright ridiculous like the 18th century would be.
This knowledge was much leaner when compared to today, but there was less population to begin with, so that knowledge was enough.
Crowded countries like China had their social norms evolve accordingly and differently due to this population density.
Increase in the speed of communication and in overall population allowed greater dissemination in shorter time, that's it. Before, more manual methods worked well enough to get a sniff of these activities, but it doesn't work now. So, governments want their cake back.
The CIA did mass surveillance at the state level with Crypto AG. The Russians bugged a whole fleet of diplomatic IBM typewriters. Intelligence agencies listened to people via central heating pipes, insiders were planted inside suspected groups... The ways were numerous, and still are. People, society and technology are evolving. So is the game.
I don't support the initiative, but that's the state of the play right now.
This might be backwards when looked from there, but this is how it looks from here.
Nope. E2E communications have buried a lot of stuff proverbially underground. The leaks are reduced. Hence, governments lost the ability to monitor as they liked. There's much more and invisible communication going on when compared to the past, and it's much more detailed and direct. Also its volume has increased exponentially.
So monitoring that stuff got way harder, and they want the easy way back.
Notice the part about where the conspiring here took place and how those conversations were discovered and revealed. Sure, two people can communicate over E2E, but if you want to start a movement (something that actually would matter rather than just complaining to your bestie), you need to open it up to the public, which, it turns out, also opens the door to people spying on you.
Maybe you're too young to remember a time when no one carried a GPS in their pocket, most payments were done in cash and only banks had CCTV cameras. I'd love to see states and companies take back the "powers" they had back then :)
Intelligence is an old craft. Insiders are old as well. However, speed of life and increase in population coupled with new communication methods invalidate these old methods.
To protect their status quo, governments want their so-called vision back, and then some...
I don't agree. They want both. They want more!
What will happen tomorrow?
But terrorist suspect 'A' communicating with arms supplier 'B' is far more significant than terrorist suspect 'A' communicating with arms supplier 'B' asking 'B' to bring some potatoes tomorrow.
The value can definitely be in the payload, when both parties believe they are using a secure channel, see 'Encrochat' and a couple of others like it. But most of the time the things you should really worry about are going to look like 'bring me some potatoes'.
Boots on the ground, enough people to follow up on the leads available today would help a lot, and a budget to go with it to make that sustainable. Not more tech toys.
Anyway, I've written enough about this subject by now.
Were there no “intelligence boots on the ground” in the places I have mentioned?
It's the human intelligence gathering where these groups are deficient, but that doesn't scale, so just like the start-up investors the governments believe that they will be able to do this on the cheap by widening the net. But that won't work, it just means they'll catch a ton more krill, and very few extra fish.
I absolutely don't agree it's worth sacrificing our privacy though.
In every revolution we've seen, the elites are unable to comprehend or unwilling to compromise, and in every case, the longer it drags on, the more dispossessed they eventually become. US state population trends starting in the 1840s are currently generating increasing unrest as a function of the structure of the US Senate, resulting in rule by a minority. As the chamber becomes increasingly unrepresentative, the ability to reform it becomes increasingly less probable due to the structure of constitutional reform.
In a more perfect world, US population geographics would be modulated by representative power. That however, is not the case. State and local governments increasingly sort voters by self-selection bias. Further entrenchment and unwillingness to compromise will be gasoline for the current tinder.
The reason why plots get uncovered is usually because someone is stupid, not because of some exceedingly clever bit of code breaking. And let's be thankful for the fact that terrorism wouldn't work if all they were aiming for is mass death of their foes because for all of the fear that terrorists manage to sow they are cumulatively less effective over the course of 40 years than three days worth of COVID deaths,
pitchforks coming near.
Need to hold on to power,
hide secret contracts and manipulation,
to anyone daring to question,
Control is their only salvation.
We've already seen plenty of examples of that irl.
I'm sympathetic to that argument, but it seems to be employed very selectively by the tech industry.
We already rely on many backdoors of exactly that kind in the form of mandatory auto updates. Not only is this seen as perfectly fine, it's widely regarded as a security best practice.
Why can Apple or Google or Microsoft manage to keep their signature keys secure for decades while any keys managed by a government agency would leak with mathematical certainty?
Also: who is to say that Apple, Google or Microsoft manage to keep their keys secret? Not all thieves would be stupid enough to tell, and nationstates tend to hold such advantages on ice until they have a good enough reason to use them.
And as some lower-hanging fruit: The repos of common programming languages and things like Docker Hub.
Python PIP, NodeJS NPM, Ruby Gems, we pull in a lot of stuff from people we don't even know. Every Python project installs a gazillion things from its requirements.txt. At least the OS updates come from a party we chose to do business with.
And it's not like this isn't already happening. But I think it'll take a major Wannacry event before we'll stop doing this because it's just so damn handy.
But if you think of it, imagine you're coding and some random 'willywonka2586' on a public slack group says "Hey I wrote a handy library for that, here, go and install it and use it in a project for your customers!". This is kinda what we're doing.
Was it a Microsoft dependency?
At worst the entire industry in that region is broken more often than it is functional. It's also notable that companies existing in this state of brokenness would be competing with companies living in a functional world. One might find that the defective universe continues long enough that its inhabitants go extinct.
It's not "perfectly fine"; but the alternative is millions of computers with known security vulnerabilities exploitable by anyone, which is far far worse than a potential backdoor used by large companies or governments.
At the very least, this would need some quantification of risk: Probability and impact of keys getting leaked vs probability and impact of not installing a backdoor.
Yes, of course.
And in the case of autoupdates:
1. the risk of finding a RCE in any random PC within the next few years is close to 100%
2. an unpatched RCE is strictly worse than a backdoor
3. how many computers won't be patched without forced autoupdates?
In the case of e2ee, I'm afraid it's much harder to quantify, though.
Unfortunately, our beloved decisionmakers are gerontocratic, completely incompetent and bought out by corporate interests that also don't want encryption (e.g. copyright industry).
That X makes things worse for people in general just isn't strong evidence that governments will not do X. If you don't want X then you need to explicitly push back.
In a nutshell, and in case it didn't register with you when it should have: attempts to curb cryptography have been made in the past. The phrase 'you can't outlaw math' is a simple observation: strong cryptography will be available to everybody that wants it regardless of its legal status. So a government that would love to read your mail would do better to realize that they will only be able to read the uninteresting mail and for the rest of it they'll be staring at white noise. Meanwhile the baddies, alerted to the fact that the government is able to read your mail will either resort to other methods of communications or will use channels that they assume to be overt to signal covertly using other methods. There are plenty of examples for this.
So, in conclusion, no matter how much you want to outlaw strong cryptography, those that want it will have it, better plan accordingly or all you will do is waste more time reading data that you will find stupendously boring.
Because the thing is, making encryption software is hard. I doubt there will be convenient and easy to install software out there if you ban this stuff. And the majority of people won't use it if it isn't convenient and easy to install.
This is the crux of your argument, but it's false. E2EE has been available for decades but it wasn't used widely, by everyone including criminals, until it was pushed as the default.
It's not as if all of the old volume of mail was steamed open and read or everybody's TV equipped with monitoring equipment. Even libraries did not track who read what (though they did track who borrowed what).
'Oh that, that's just white noise.'
'You are under arrest for illegal encryption with the intent to <insert horrible criminal activity here>.'
And regarding internet privacy and secure communications, that's exactly what they want: for privacy to be associated (in the mind of the average citizen) with organized crime, terrorism and pedophilia.
and 99.x% of people aren't engaging in sharing child porn anyway, it's the 0.1% of motivated criminals that will share encrypted files anyway, no matter what the law is. They will find ways around the law, they always do.
This is a thinly veiled excuse to take basic human rights away from people.
Speeding is tied to one third of traffic fatalities over the last 20 years (https://www.nhtsa.gov/risky-driving/speeding), so of course speed limits are put in place in an attempt to increase safety on the road. There are plenty of arguments to be made about the best way to enforce speed limits, or ways to discourage aggressive driving (such as speeding), but there is little doubt that speeding is dangerous.
Countries such as Germany have much lower traffic fatalities than the USA but they can operate vehicles at much higher speeds. Speed isn't the problem... uneducated drivers, poor vehicle maintenance, poor road quality, etc are the problem. But all those things would upset the masses who think they are entitled to operate a vehicle for 50 years after 2 months of training and a 15 minute test, so (in the USA) we get the lowest common denominator and roadways that are engineered to handle vehicles at 80+MPH are stuck with 55MPH speed limits.
Speed isn't the problem, neither are any of the others you mentioned. They all add to the problem of traffic fatalities though.
They did a study in Germany and were able to halve traffic fatalities by adding a speed limit of 130kph on one Autobahn section, measured over 3 years.
Sure you can improve road conditions and driver education, but a multi-pronged approach including speed limits is sensible.
That's absolutely not true. Sure, some stretches are just to generate revenue, but that you're not allowed to go 200km/h through a city is not for revenue generation. It's also not given by common sense - the fact that you need to set the limit 20 lower than what's safe should be plenty of evidence.
This is an impossible task. There is no way they will be able to enforce this. It would literally require them to stick their dirty fingers into every piece of software built in the EU.
They can attack large corporations like ISPs and such and force them to do certain things, sure, but there is no way they can "ban" any kind of encryption with any real success, because, as the OC said, it's basically trying to outlaw mathematics. Forcing ISPs to perform deep packet inspection or whatever won't change the axioms of mathematics or fundamentally alter computer science so that they can suddenly break encrypted data coming from their clients.
Of course, the argument is that this is to combat criminals and we all know that it doesn't work that way, but it doesn't matter at the end of the day if the true goal is to just monitor people.
You are not interested in just "people". You are interested in a very specific subgroup of those (1-x)% that already operate outside the law.
And another fact is that these bans can even give you access to the people outside of the law. Practical example, Australia's sting operation of pushing their own 'secure' app on the blackmarket to lure criminals in. (https://www.washingtonpost.com/world/2021/06/08/fbi-app-arre...)
Now that math, logic and reason are outlawed, soon I expect ethics and metaphysics to also be outlawed. Of course these fundamental ideas still exist, but if you use them they’ll throw the book at you!
A nonsensical book full of gobbledegook.
It's about control of dissent, about data mining, about preventing unrest. We have seen tiny glimpses of what can happen with France's Yellow Vests... and there is massive potential for unrest: socio-economic differences (wealth disparities), prices of must-have goods (energy, food, housing), corruption in all its forms, political ineptitude and incompetence, discrimination issues, climate protection measures (Yellow Vests) or the lack thereof (Extinction Rebellion), and sadly also measures to fight the coronavirus pandemic (e.g. the current riots in the Netherlands and Belgium, the near-storming of the German parliament).
Don't be fooled that it won't work. It works in China and they have math there too.
The only thing China will succeed in is extending the gerontocracy for a little bit longer. But eventually the cost of strongly encrypted communications will drop to zero and then the information advantage that the government has is over.
Think 'Starlink' + a couple of rounds of tech improvement and the GFOC might as well not exist. The question is will the people care? In China, I'm not so sure. In the West, maybe they will, maybe they won't, but I for one will be happy to utterly ignore this if it ever makes it into law. Right now I don't bother encrypting my mail, but if this happens I might drop off the grid entirely, and I'll make it my mission to spread strong crypto as far and as wide as I can.
But for now it's just a misguided proposal by a clueless bunch of bureaucrats.
In this case, it's simply a matter of crafting the law in such a way that, say, possession or use of strong encryption without government backdoors automatically makes you a terrorist, the same way that possessing lockpicking tools automatically makes you a thief in Illinois. Then, once your communications become a little too random, the authorities can raid your computer and that of everyone you're connected with, arrest you and take you to a black site, and squeeze you for information (including rubber-hose cryptanalysis). And they're bound to find something juicy because most of the people going to the trouble of illegally using unbackdoored crypto are indeed terrorists, pedophiles, and other criminals. Using the "once X is outlawed, only outlaws will use X" effect to good effect.
I'm sure some people have been arrested and prosecuted but that's just symbolic scapegoat tactics and a pebble trying to stop the tide.
The laws you are describing are never going to be put into effect. It's just not going to happen. I don't believe the EU is full of people stupid enough to let it happen.. and even if it did, all the member states don't just automatically adopt and enforce every law immediately without thought. There are plenty of reasonable member states that just wouldn't accept these insane laws, or have populations which wouldn't accept them.
I think that’s wishful thinking, given the previous experience of Clipper chip and 40-bit encryption rules in the USA and the Investigatory Powers Act in the UK.
Even as a British national living in Berlin, when I submit an app to Apple I have to agree to let the US government know about any use of cryptography by the app (by my reading including HTTPS, which I hope is merely legal caution rather than actual obligation).
They just want to add a de jure veneer to it.
For de facto leadership follow the US example. For de jure leadership follow the Australian/Chinese model.
But there is another big difference: Currently services they can't tap into will be forced to make arrangements for this to be possible. Not sure how they will do this with the more decentralised platforms like Matrix but they will probably find a way :(
I'm sure the power-hungry in other democracies want this too, because having secret courts is a liability.
But I think secret courts won't fly on a large scale. People have connections and they will pipe up eventually. Maybe not every time but it will happen.
You don't have secret courts.. yet. Anyway, it doesn't actually matter if you have secret courts or not, for high profile targets. The US has them and the US also has extradition treaties. And if you do have legislation against spying on your own citizens, your allies don't, they can do it for you and then share intelligence.
This whole effort is to short-circuit all of that and streamline an existing process.
Because if it was only the high-profile cases the intelligence services already have huge permissions in terms of hacking, infiltration etc.
It's just that if you start collecting conversational data from everyone, you need AI to go through it. It's simply not possible to do it manually.
And once you get AI involved, scope creep is guaranteed because of the huge advancements being made in that area.
There's no way we can stop AI from being built but we can still stop some of our data from going into it.
In exchange, the police staff, their corporate friends and their political masters can know what you are doing in the restroom when you take a roll of toilet paper with you, or when you negotiate a business agreement in a bar.
What actually ends up happening is called "parallel construction" where the evidence collected illegally is passed on to another party who "legally" builds it up to be accepted by the court.
My tinfoil/ CSI tv experience/ common sense tells me you can show a fellow human being something naughty, like illegal sting results, in private if you exert good judgement before, during and after the meeting.
Edit: Where I live, search warrants aren't required by the police. Which is a good thing (for regular people) provided the inaccessibility and corruption of the judicial power.
If you're saying that cops and judges collaborate to get search warrants based on evidence they both know was obtained illegally... sure? It probably does happen on occasion, but I doubt it happens nearly as much as you seem to think it does.
FISC meets in secret, and approves or denies requests for search warrants. Only the number of warrants applied for, issued and denied, is reported. In 1980 (the first full year after its inception), it approved 322 warrants. This number has steadily grown to 2,224 warrants in 2006. In the period 1979–2006, a total of 22,990 applications for warrants were made to the Court of which 22,985 were approved (sometimes with modifications; or with the splitting up, or combining, of warrants for legal purposes), and only 5 were definitively rejected.
As for probable cause they just sidestep such niceties all the time using many many tricks including buying data from your carriers and credit card providers.
If it turns into law I'll stop going to work. If I do that the project I'm in will fail, followed by my team collapsing, followed by my whole office revolting, followed by my employer crashing, followed by several Swedish cities turning to the streets in anger, followed by the whole of Sweden disintegrating, followed by the whole of Europe proclaiming "our know-it-all moral compass is gone" followed by Europe wide collapse, then American collapse.
Don't you worry for one second, peeps, I got this.
- Very powerful EU citizen
I can't help but to think they are two sides of the same coin. Meaning that consumer friendly internet regulations we can all more or less agree on (e.g. let me cancel subscription online), is very correlated to consumer hostile ones (e.g. banning encryption and restricting ISPs).
Am I thinking about this wrong?
Cryptography, in particular strong cryptography has become essential for business, a good chunk of our economy now has a cryptographic element to it. You can't expect that to survive without giving the baddies the same level of access that the government is demanding, besides that, the amount of noise they will have to deal with far outweighs any possible advantage.
At best there will be some drop in crime because of people being more aware of the chance of being caught but in the past such differences did not seem to make much impact. People will do what they will do, irrespective of the chance of getting caught.
All of these things are operating as points between two different extremes, the 'good balance' usually lies somewhere in the middle between the protection of rights on the one end and the ability of the authorities to do the jobs we entrust them with. A lot of these technical ideas originate from the perspective that if it can be automated it will be cheap and if it is cheap then they'll be able to fund it. Whereas good intelligence is super expensive, it requires boots on the ground in greater numbers than is currently possible within the budget constraints that there are. Europe is in this sense much more stingy than say the USA and that alone is a big driver behind all these digital tricks.
Also: do note that this is a proposal.
I feel journalists and in-hostile-nation citizens are a smokescreen for more monied interests.
I also support brexit. I would prefer for the UK to be in the EU because it would make all of us stronger and closer, as I think we should be, but I have to accept that current UK culture is just not compatible with the European project.
Good luck to my British friends, who I know see me as "foreigner". I don't see you as foreigner.
I guess that must be true of the political elite in the major (remaining) EU countries, or it wouldn't be the policy, right?
But for, say, Hungary, where I have a lot of experience, I'm pretty sure basically nobody thinks "increasing integration" should be the goal. Well maybe some tiny minority who happen to work for the EU itself.
The integration everyone cared about already happened, except for the currency integration which will never happen. (IMO good that it won't.) Now you have one side that would like to use the EU as a cudgel for rule-of-law questions but only without interrupting the flow of money; and another, more powerful side that uses the EU as a dog-whistle for nationalists as long as it doesn't interrupt the flow of money.
I can't speak for "Europe" (neither can Brussels) but I know a lot of people in Germany who also think there has been quite enough integration already, thank you. Try ordering an espresso in Berlin without speaking English.
(I neither supported nor opposed Brexit as I'm just a dirty foreigner in the EU either way, but I have sympathy for those who did so on principle.)
I'm not sure what this means.
> in the major (remaining) EU countries, or it wouldn't be the policy, right?
It is not some policy, it is an international treaty signed by every current member of the EU. This would be like saying that NATO is "a policy". By the way, the remaining countries are 27. 13 of those joined since the year 2000 and one left.
> except for the currency integration which will never happen
Yes it did. What a bizarre statement.
> Try ordering an espresso in Berlin without speaking English.
I live in Berlin. You can order anything in German anywhere. This is at best a gross exaggeration, at worst an outright lie. It was exactly this type of "fact" that was used to convince a lot of British people to commit brexit.
I'm so surprised that here in HN, I keep seeing comments complaining about "banners" disclosing the fact that every interaction with the website is monitored by probably every mega corp out there.
If you don't like the banners, tell the websites not to collect your data for profit, rather than complain about knowing that they do.
Doesn't make much sense.
The threat of federalisation being imposed on the UK was just another lie.
That aside, if UK voted to support federalisation, what would be your principal fear?
The Tories seem mostly to have gone about increasing wealth disparity (dodgy contacts, corruption in parliament, tax breaks for the rich, pay freezes [ie real terms pay cuts] for the poor). What's their next move?
That's an interesting take because I've always thought, as an outsider, that the British population seems strangely accepting of authoritarian governments.
The EU's democratic deficit, and the fact that these regulations can be rolled out to most of the world's major economies without any proper debate or (likely) checks and balances, proves the dangers of political organizations that are bigger than "human sized". How do you even protest this? Any country is forced to listen to mass protests, but there's no such thing for the EU.
Surely, taking your argument as truth, Scotland is smaller than the UK and therefore stronger than the UK?
And yes, Scotland will exist for longer than the UK will, in all likelihood. They are "more durable" as I said. Them leaving would lead the UK to cease to exist in its current form.
A world government is essentially impossible to achieve anyway, because super powers don't want anyone to dictate rules.
The EU is not a mini-world government. It's an attempt at unifying many small nations to achieve peace and world power status. On their own, European countries are at the mercy of the US and China.
Just about 32 years ago the Berlin Wall fell and shortly after the Stasi files were proudly presented as an example of tyranny. Now the German government wants to do the same.
But I very much doubt actual such legislation will get enacted. There is not even an actual proposal yet, only articles like this saying one is coming soon.
We do know CSAM screening legislation is coming as the current voluntary rules have a 3-year time limit - but it is, in my opinion, very unlikely there will be mandatory screening, despite some people reportedly pushing for it.
In my opinion, such legislation would be unlikely to pass EU parliament. It is more likely that the current temporary rules allowing voluntary screening get reworked into a permanent legislative proposal.
AFAIK the only relevant official procedure here is this initiative that sought feedback from affected parties (and it does not mention mandatory screening - instead it asked for opinions on what should be done): https://ec.europa.eu/info/law/better-regulation/have-your-sa...
In my opinion it is not a fiasco at all. It simply allows the current pre-Dec-2020 practice of voluntary screening to continue for a limited period of 3 years (so they have time to get a proper permanent legislation in place). Privacy rules changed in Dec-2020 that made voluntary screening effectively illegal, hence the stopgap.
It just avoids GDPR unintentionally making it illegal for service providers to scan for CSAM without opt-in user consent from every user involved, and only does so for a temporary period until legislation that formally defines service provider responsibilities is ready.
Personally, I'm fine with that. I firmly agree that private E2E messaging should not be banned (the suggestion in this post, which as noted above is not currently a real proposal) but I don't think that means service providers should be forced to blindly host user data that may contain CSAM against their will.
There is no such proposal as of yet.
In my opinion, the last regulation applied in July 2021 was sound (final text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...), allowing a 3-year extension to the existing practice of voluntary screening until a proper legislation can be finalized.
Some would have wanted to completely disallow voluntary screening (which would have been the case had the regulation not been adopted, due to privacy law changes in Dec 2020), too, and I can understand that position. But that is seemingly not shared by European Parliament who voted to allow voluntary screening to continue (they did shorten the time period to 3 years from the original 5, though, by an amendment).
It would literally be less bad for all display and input devices to have a (password protected, randomly created at time of manufacture) police access mode, than to ban cryptography.
I talked to my local MP about the UK’s Investigatory Powers Act when that came up. I still don’t understand why the UK decided to allow the Welsh Ambulance Service in particular to access, without a warrant, the recent “internet connection records” of everyone except sitting MPs and certain protected professions.
GCHQ even proposed a 'ghost protocol' so they can play Mallory in your comms. In fact I don't even trust the phone itself, since they /ship/ with Google/Apple-sponsored malware and phones are being hacked all the time.
Messenger apps are strange because they all have different caveats to each, and I've tried them all. For example: Signal requires a phone number, which by design, can leak your 'meatspace' identity. Some people don't like that, so they use Matrix (which has its own caveats too).
Personally, if the authorities go after messaging apps, it's not a big hit for me, since I don't use them heavily. I can see why businesses would take a hit since they want to protect business secrets, and protestors would take a hit & can't organize etc, but it won't affect me heavily. YMMV.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE... is the strategy document.
So far, there is a temporary derogation from the ePrivacy Directive (https://www.europarl.europa.eu/RegData/docs_autres_instituti...). The ePrivacy directive as part of the EECC forbids (for the sake of discussion) email providers from scanning Maildirs, even if those maildirs are cleartext (as is the case for the majority of providers, s/Maildir/backend storage). The temporary derogation lets them scan for CSE in these sources.
I don't see any proposed regulation explicitly targeting end-to-end encryption, but their strategy document does seem to label end-to-end as a problem, citing the NCMEC (US). The project is here: https://ec.europa.eu/info/law/better-regulation/have-your-sa... .
The EU is not just a commercial organization. It is an actual political union. The English-speaking press tends to hate mentioning this, but it is the truth. The treaty of Lisbon says that the goal of the European Union is to create an "ever closer" union between the member states. Every member state signed up for this.
> I would've thought that this was outside the scope of the EU
Few things are outside the scope of the EU.
> was power constitutionally transferred to the EU parliament at some point?
It is a very complex topic, but the short answer is "yes". Member states agree to translate EU parliament decisions into national law at their own time. They have the ability to veto any initiative through other channels.
> If a member nation refused to obey an EU law (or whatever it is), what sort of punishment or sanction could be applied to them?
These things are usually dealt with through diplomacy. There is a lot of tolerance. Often nothing happens, but many types of sanctions (usually economic) are possible.
The EP has yet to vote on this.
And the EU also has mechanisms to impose penalties for countries that fail to comply, but in practice this is rarely done for political reasons.
These attempts at outlawing encryption of any form should be met with a lot more pushback from now on.
Note that you are comparing a proposal on the one side with a law on the other.
Or, to be clear, it isn't.
For this to be turned into a law it would need to go through several steps, and currently there really isn't any reason to think that it will.
Maybe this is why we are reading this on a blog from an email provider and not the front page of a newspaper.
Jan Philipp Albrecht was appointed as rapporteur of the European Parliament for the process of the GDPR lawmaking. His job was to take care of the process to find compromises between many opinions and fill them into law. Since he actually cares about privacy, he was in a position to make sure that the compromises keep a certain level of privacy protection. He's from the German "green/environmental" party.
There is an interesting documentary about his role and the process: "Democracy: Im Rausch der Daten". I don't know if there is an english version. There is a german version on youtube.
The "mistake" was to appoint him as rapporteur.
The "mistake" was not repeated when Axel Voss from the German conservative party was appointed as rapporteur for the "Directive on Copyright in the Digital Single Market (2019)".
(Note: The law making process in the EU is long and complicated and I do not know where this draft is currently in the process.)
I am sure there are some people who clearly enjoy pressing on the cookie popups when they travel to Europe like popping zits. Maybe it is the Eurocrats in Brussels.
But the start-up in a garage example was - at least, that's the way I read it - meant as there currently not being a level playing field with respect to end users, not necessarily employees. And let's be perfectly clear here: employers that are callous with their employees data are to be avoided like the plague, no matter where they are located.
As for your customers: yes, you should be careful with that data, and no, their feedback does not necessarily fall under the GDPR, only when it concerns the privacy of the individuals mentioned therein. But normally speaking such feedback would not be about such specifics but about the product itself.
Not tracking your users has a big impact on how a company is set up, what data marketing has access to, what data system administrators and sometimes even programmers have access to. Storing your data in an anonymized way can make good sense. It likely will impact your business, but leaking of that data will impact the lives of your customers more, so that's why the GDPR is written the way it is: you minimize your footprint to that which you need and you will be doing just fine.
Let's say that 1 out of every 3 product / service reviews is like this. Do you (a) block/filter them out and treat the remaining ones as non-personal data, or (b) treat your feedback pipelines/database as personal data regardless of whether some of the reviews are, somehow, devoid of personal data?
(Or (c), do you not think the example above contains personal data?)
I'd say it definitely is my personal data, telling you - inter alia - about the objects I own, the opinions I hold, and my recent behaviour.
In what way?
Unless the plan is to go straight to the US market, to domicile there and to hire employees there to get started, as it's a radically more lucrative advertising market than the EU, in part thanks to GDPR.
The US market still largely has a comparatively laissez-faire approach to advertising, personal information and privacy. In the US you can still build a tech juggernaut in the way Google and Facebook did, by way of rather invasive advertising practices. You can't do that in the EU today, zero chance. In the US market you can jump-start a company that way, and if you have to later on you can look at dialing back or changing your exact business model. You don't have that option in the EU, you're far more heavily restricted, it cuts off your ability to liberally utilize a gigantic advertising market in the way US companies can. It provides US start-ups a big advantage. You set up in the US, grow into the huge US market, then use your resources to go into Europe and comply with their various requirements (along with paying their slap-on-the-wrist fines inevitably).
The real danger of encryption, and in particular blockchains, is that it can subordinate the legitimacy of the state and its policies and actions to a test of truth, and this is why they hate it. The abuse and terrorism arguments are red herrings for this to distract from this fundamental dynamic.
EDIT: No one types the message letters on a hooked-up machine. You prepare / encrypt the payload before you paste it onto the sending computer / device. Anything within the Base64 you paste into the message field should be impenetrable.
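The workflow the comment above describes, as an added example that is not part of the original post: the plaintext is sealed on an offline machine with AES-256-GCM, the result is Base64-encoded so it survives being pasted into any chat box, and the recipient reverses the steps. The 32-byte key is assumed to be pre-shared out of band (the `NewKey` helper and the sample message in `main` are constructed for this illustration). Note what the relay does still see: sender, recipient, timing and the length of the pasted blob; only the content is opaque to it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key. In the pasted-ciphertext
// workflow this is generated once on the offline machine and exchanged
// with the peer out of band (assumption for this example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM under key and returns
// Base64(nonce || ciphertext || tag). A fresh random 96-bit nonce is
// drawn per message, so the same plaintext never yields the same blob.
func Encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving one self-describing blob.
	sealed := gcm.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. Any bit flip in the pasted text (a wrong key,
// a truncated paste, a modified relay copy) makes the GCM tag check fail
// and returns an error instead of garbage plaintext.
func Decrypt(key []byte, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("not valid Base64: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey() // sender side, offline machine
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Println("paste this into the chat box:", blob)

	pt, err := Decrypt(key, blob) // recipient side, offline machine
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient reads:", string(pt))
}
```

Running it prints a different Base64 blob on every run because of the random nonce; the relay only ever handles that blob, while the key never touches the connected device.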
This has worked reasonably well for decades, in Europe's liberal democracies, for plain old telephone, mail, searching apartments, etc. Yes, there have been mistakes and failings, but by and large this system works, and prevents substantial harm.
These powers need an actually independent judiciary in a strong legal system (i.e. not the US). And they need to be kept out of the hands of secret services (as opposed to genuine police work overseen by judges in the public record).
You're basically describing some magical fantasy land where the ability to utilize the backdoor could be restricted to "genuine police work" by the legal system. Here in reality, we have to acknowledge that it's impossible to do that.
Additionally, service providers MUST inform you that they have scanned your data for CSAM: "Service providers should inform users in a clear, prominent and comprehensible way that they have invoked the exemption provided for in the Regulation"
Yorkshire or London didn't get a veto over leaving either, and both have larger populations than Scotland
I still vote but I don't really see the point anymore either. The game seems rigged.
by design: the EU acts as a ratchet: powers that formerly belonged to national parliaments are transferred to it, and can't be transferred back
those powers are then exercised by the executives of Europe's governments rather than their parliaments
the same is true of EU legislation: once the "parliament" has rubber-stamped legislation: it can't revoke it
I've always thought that was weird. I'd want to vote for them directly.
I don't mind the power transfer per se. Within Europe a lot of things make sense to do Europe-wide. In fact a lot of things are not done Europe-wide which I think would make a lot of sense to do so. Like transportation: A lot of countries have extra taxes like 'vignettes' for foreigners while others haven't. So if I go there I have to pay but they don't pay when they come to my country. Of course countries that see a lot of transit traffic should be paid but this should just be paid straight from the EU IMO. It's creating unnecessary barriers. There should also be an EU driving license instead of having to get it locally where you live at the time and losing categories which don't exist there. And why do we still have separate train systems and road rules? Mutualising traffic signs to minimise mistakes is something that could really save lives.
And social welfare, right now it's a total pain if you have worked in several EU countries. Pensions etc are fragmented like crazy and there's a lot of paperwork.
But instead they focus too much on merging the national markets to appease big business IMO. Instead of tackling the real issues for citizens.
Why the disconnect? That's my fundamental question.
And the pro-surveillance push sadly is fairly endless, see also countries trying to introduce general recording of internet metadata despite the EU top court repeatedly having made clear that that's not going to be a thing that survives a legal challenge.
to the people who complain, we didn't hear you when the US kept (and still is) massively tracking you
and let's not talk about all free apps on your favorite smartphone, they track you to death
but who cares, nobody should track me for everyone's safety! only for everyone's lack of privacy!
Note that in a very large number of terrorist attacks the knowledge was already available, but it either wasn't acted on, communicated improperly, not given enough urgency or lost because too much time was spent looking at spurious signals. Every time the amount of information available goes up that last factor will grow. Signal vs noise is the main contributor in why 9/11 happened, and the same goes for a lot of other terror attacks as well. But that sort of admission requires a complete review of how this is all practiced, would require an end to the security theater and would cut a whole lot of pork. I'm somewhat skeptical that this will happen.
But more security theater moves to appease Joe Public and look tough, of course.
9/11 happened because they let it happen
Jets would come at you if you flew over cities without permissions
Why do we encrypt things in the first place? because lack of trust
Maybe let's fix that instead of expecting society should lack "trust" between actors
Respectfully, you're nuts.
I am saying they weren't prepared for the fact that such an event could happen
And this is the same as expecting states to not apply surveillance despite encryption
If we are not prepared, then it can happen
And if we don't want to be prepared by choice, then we let that kind of event happen
The problem was that even if the information was available to them, they didn't act on it in a timely manner.
You weren't listening then.
And it's not exactly a ban either. It's about a mandatory backdoor in encrypted communication.
Not that that makes it any less bad, but it's important to clarify. The title is not clear about this.
Then maybe you should?